ABSTRACT. The higher-order π-calculus is an extension of the π-calculus to allow communication
of abstractions of processes rather than names alone. It has been studied intensively by Sangiorgi in
his thesis, where a characterisation of a contextual equivalence for higher-order π-calculus is provided
using labelled transition systems and normal bisimulations. Unfortunately the proof technique used
there requires a restriction of the language to only allow finite types.

We revisit this calculus and offer an alternative presentation of the labelled transition system and
a novel proof technique which allows us to provide a fully abstract characterisation of contextual
equivalence using labelled transitions and bisimulations for higher-order π-calculus with recursive
types also.


1. Introduction 

It is evident that there is growing interest in the study of mobile code in process languages
[...]. It is also clear that there is some relationship between the use of higher-order features
and mobility. Indeed, code mobility can be expressed as communication of process abstractions.
For this reason then it is important for us to develop a clear understanding of the use of higher-order
features in process languages.

Work towards this began several years ago with various proposals for higher-order versions of
known calculi [...], including the higher-order π-calculus or HOπ [...]. This calculus was studied
intensively by Sangiorgi, and one of his achievements was to provide a translation of the higher-order
language, which supports code mobility, to a first-order π-calculus, which supports only name
mobility. This translation is proved to be fully abstract with respect to barbed congruence, but with
the restriction to a language of finite types.

While the translation is of interest in its own right, it also turned out to be very useful for
providing a powerful fully abstract characterisation of barbed congruence in terms of labelled transition
systems and normal bisimulations. Providing direct proof techniques for contextual equivalences
in higher-order process languages is often considered to be hard [...]. In this paper, the difficulty
arises in establishing soundness of the proof technique, which is tantamount to establishing some
sort of contextuality property. It has been seen that the use of a translation of higher- to first-order
communication can alleviate this problem, and such translations have been employed to this effect
[...].

However, due to the restriction to finite types for the correctness of these translations, the
soundness of the proof technique is only guaranteed for finite types. Given that recursive types are
used extensively in π-calculus, for encodings of datatypes and functions, this poses a significant
restriction. Sangiorgi has shown that by studying various subcalculi, such as the asynchronous
π-calculus, he is able to remove the restriction to finite types [...]. To date, there has been no proof of
full abstraction for full HOπ in the presence of recursive types.

In this paper we present an alternative description of labelled transition systems and normal
bisimulations for HOπ, which is informed by Sangiorgi's translation of higher-order to first-order
communication. Our alternative presentation allows a direct proof of soundness for contextual
equivalence which makes no use of the translation to first-order π-calculus and, more importantly,
makes no restriction on types.

The innovation here lies in the introduction of operators $\chi_k$ and $(k \Leftarrow v)$ which simulate the
triggers $\mathrm{Tr}_k$ and meta-notation $\{k := v\}$ of Sangiorgi [...], where k is a unique identifier for the
trigger and v is a process abstraction. The crucial difference is that where Sangiorgi gives definitions
as HOπ terms for these devices:

$$\mathrm{Tr}_k = (x)\bar{k}\langle x\rangle \qquad\text{and}\qquad \{k := v\} = {*}k(x)\,v \cdot x$$

where $\bar{k}\langle x\rangle$ represents an output on name k and $*k(x)P$ represents a replicated input on name k, we
leave the operators uninterpreted. There are no interactions between the operators $\chi_k$ and $(k \Leftarrow v)$.
Rather, we just mimic the behaviour of triggers in the labelled transition systems. The benefit of
doing this is that it allows us to obtain a direct soundness proof that (normal) bisimilarity implies
contextual equivalence, without recourse to any translation in its correctness proof.

A challenge of approaching the problem in this way is that it is not immediately clear that
bisimilarity will be complete for contextual equivalence in HOπ. That is to say, it is not obvious
whether each transition has a genuine HOπ context which validates it. At this point however we can
interpret the operators $\chi_k$ and $(k \Leftarrow v)$ as HOπ terms exactly as Sangiorgi does. It is then a simple
matter to demonstrate completeness following familiar techniques [...]. The real payoff is that
not only do we obtain a direct soundness proof, but the postponement of interpreting the triggers
allows us to finesse any restrictions to finite types.

The remainder of the paper is organised as follows: in Section 2 we recall the syntax and
semantics of HOπ along with the definition of contextual equivalence which we will be using. This
is followed in Section 3 by a presentation of the novel labelled transition system using the operators
$\chi_k$ and $(k \Leftarrow v)$. We prove that bisimilarity over this labelled transition system is sound for contextual
equivalence in Section 4 and, conversely, that it is complete for contextual equivalence in Section 5.
We conclude in Section 6 with some closing remarks.

2. Higher-order π-calculus

Except for small changes in notation the language is as can be found in [...], with three main
differences:

(1) We assume two distinct countably infinite sets of identifiers, $\mathcal{V}$ and $\mathcal{N}$, for variables and
channel names respectively. In general we will use x, y, z to range over variables and a, b, c
to range over channel names. This variable/name distinction makes the algebraic properties
of the language a little cleaner, and we are confident that the techniques proposed here would
also be applicable if we identified these sets.

(2) Since we have adopted a variable/name distinction, we have used Honda and Yoshida's
definition of observational equivalence [...] in Section 2.4 rather than Sangiorgi's. See [...]
for a discussion of this issue.

(3) We allow communication of channel names as well as process abstractions, so that there is
a core π-calculus as a direct subcalculus of HOπ.

Figure 1: The Syntax

Value Types
    (·)                          Unit type
    ch[T]                        Channel type
    T → o                        Abstraction type
    Z                            Type variable
    rec Z.T                      Recursive type

Terms
    v · w                        Application
    v(x : T)P                    Input
    v̄⟨w⟩P                        Output
    if v = w then P else Q       Matching
    νa : T.(P)                   Name creation
    P || Q                       Concurrency
    *P                           Repetition
    0                            Termination

Values
    (·)                          Unit value
    a                            Channel name
    x                            Variable
    (x : T)P                     Abstraction

2.1. Syntax. We present the syntax of HOπ in Figure 1. The grammar of types for values includes:

• (·): a singleton type just containing the value (·).

• ch[T]: the type of channels which can be used for communicating data of type T. Note that
in this paper we are not considering input-only or output-only channels.

• T → o: the type of an abstraction (x : T)P. Such an abstraction can be applied to a value v
of type T to return a well-typed process P[v/x].

• Z and rec Z.T: these allow recursive types, such as the type for monomorphic π-calculus
channels rec Z.ch[Z]. We require Z to be guarded: any free occurrence of Z lies within a
subexpression of T of the form ch[U] or U → o.

The grammar of process terms includes:

• v · w: the application of abstraction v to argument w. During execution, v will be instantiated
by an abstraction of the form (x : T)P, and β-reduction will give the process P[w/x].

• v(x : T)P and v̄⟨w⟩P, which are the standard synchronous input and output of the π-calculus,
except that since abstractions are first-class values, we can communicate higher-order data
as well as first-order data.

• if v = w then P else Q: an equality test on values, where the type system will ensure that v
and w are channels, and so we will never compare abstractions for syntactic identity.

• νa : T.(P), P || Q, *P and 0: the standard π-calculus processes for channel generation,
concurrency, replication and termination.

The grammar of values includes:

• (·): the only value of type (·).

• a and x: channel names and variables respectively.

• (x : T)P: an abstraction, which can be applied to a value v to return a process P[v/x]. Since
abstractions are considered first-class values, they can be communicated on channels, or
passed as arguments to other abstractions. This feature gives HOπ its higher-order power.


2.2. Reduction semantics. The reduction semantics for the language is defined in a standard
manner: we first introduce the evaluation contexts

$$\mathcal{E} ::= [\cdot] \mid \mathcal{E} \parallel P \mid \nu a.\mathcal{E}$$

Structural equivalence, ≡, is defined to be the least congruence with respect to $\mathcal{E}$ contexts such that
it makes (||, 0) into a commutative monoid and moreover satisfies

$$\nu a.(P \parallel Q) \equiv \nu a.P \parallel Q \quad \text{if } a \notin fn(Q)$$
$$*P \equiv *P \parallel P$$

We will now consider processes up to structural equivalence throughout the remainder. We define
the reduction relation → as the least precongruence with respect to $\mathcal{E}$ contexts such that the
following axioms hold

    (comm)      $\bar a\langle v\rangle P \parallel a(x)Q \to P \parallel (x)Q \cdot v$
    (β-redn)    $(x)P \cdot v \to P[v/x]$
    (cond-tt)   $\text{if } a = a \text{ then } P \text{ else } Q \to P$
    (cond-ff)   $\text{if } a = b \text{ then } P \text{ else } Q \to Q \quad (a \neq b)$

In a standard notation we write ⇒ to denote the reflexive, transitive closure of →.
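As an added illustration (not part of the paper), the following Python model implements the four reduction axioms above over an untyped term representation. It locates redexes up to structural equivalence by flattening parallel compositions, floating ν-binders outwards and unfolding *P on demand via *P ≡ *P || P. The term constructors, the Barendregt-style assumption that all binders are distinct, and the sample process are constructed for this example; types are elided since they play no role in reduction.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed, untyped model of the reduction semantics of Section 2.2 (an added
# example, not the paper's code).  Types are elided and every binder is assumed to
# use a distinct name (Barendregt convention), so substitution needs no renaming.

@dataclass(frozen=True)
class Var: n: str                              # channel name or variable
@dataclass(frozen=True)
class Abs: x: str; body: "Proc"                # (x)P
Value = Union[Var, Abs]

@dataclass(frozen=True)
class Nil: pass                                # 0
@dataclass(frozen=True)
class App: fn: Value; arg: Value               # v . w
@dataclass(frozen=True)
class In: ch: Value; x: str; body: "Proc"      # a(x)P
@dataclass(frozen=True)
class Out: ch: Value; v: Value; body: "Proc"   # a-bar<v>P
@dataclass(frozen=True)
class If: v: Value; w: Value; then: "Proc"; els: "Proc"   # if v = w then P else Q
@dataclass(frozen=True)
class Par: left: "Proc"; right: "Proc"         # P || Q
@dataclass(frozen=True)
class Nu: a: str; body: "Proc"                 # nu a.(P)
@dataclass(frozen=True)
class Rep: body: "Proc"                        # *P
Proc = Union[Nil, App, In, Out, If, Par, Nu, Rep]

def subst_v(v: Value, x: str, by: Value) -> Value:
    if isinstance(v, Var):
        return by if v.n == x else v
    return Abs(v.x, subst(v.body, x, by))

def subst(p: Proc, x: str, by: Value) -> Proc:
    """P[by/x]: replace the variable x by the value `by` (no capture, by assumption)."""
    sv = lambda v: subst_v(v, x, by)
    sp = lambda q: subst(q, x, by)
    if isinstance(p, Nil): return p
    if isinstance(p, App): return App(sv(p.fn), sv(p.arg))
    if isinstance(p, In):  return In(sv(p.ch), p.x, sp(p.body))
    if isinstance(p, Out): return Out(sv(p.ch), sv(p.v), sp(p.body))
    if isinstance(p, If):  return If(sv(p.v), sv(p.w), sp(p.then), sp(p.els))
    if isinstance(p, Par): return Par(sp(p.left), sp(p.right))
    if isinstance(p, Nu):  return Nu(p.a, sp(p.body))
    return Rep(sp(p.body))

def threads(p: Proc, names: list) -> list:
    """Flatten P up to structural equivalence: drop 0, treat || as associative and
    commutative, and float nu-binders to the top (sound because bound names are distinct)."""
    if isinstance(p, Nil): return []
    if isinstance(p, Par): return threads(p.left, names) + threads(p.right, names)
    if isinstance(p, Nu):
        names.append(p.a)
        return threads(p.body, names)
    return [p]

def rebuild(names: list, ts: list) -> Proc:
    """Inverse of threads(): re-assemble the parallel threads under the nu-binders."""
    q: Proc = Nil()
    for t in reversed([t for t in ts if not isinstance(t, Nil)]):
        q = t if isinstance(q, Nil) else Par(t, q)
    for a in reversed(names):
        q = Nu(a, q)
    return q

def step(p: Proc) -> Optional[Proc]:
    """One reduction P -> P', or None if P is stuck; redexes are searched in any
    single thread (beta, cond) or between any two threads (comm)."""
    names: list = []
    ts = threads(p, names)
    for i, t in enumerate(ts):
        r = None
        if isinstance(t, App) and isinstance(t.fn, Abs):            # (beta-redn)
            r = subst(t.fn.body, t.fn.x, t.arg)
        elif isinstance(t, If) and isinstance(t.v, Var) and isinstance(t.w, Var):
            r = t.then if t.v == t.w else t.els                      # (cond-tt) / (cond-ff)
        if r is not None:
            return rebuild(names, ts[:i] + [r] + ts[i + 1:])
    # (comm): a-bar<v>P || a(x)Q -> P || (x)Q . v.  A replicated thread *R offers a
    # copy of R and stays in place, using *R = *R || R.
    def unfold(t): return (t.body, True) if isinstance(t, Rep) else (t, False)
    for i, ti in enumerate(ts):
        for j, tj in enumerate(ts):
            o, keep_o = unfold(ti)
            n, keep_n = unfold(tj)
            if i != j and isinstance(o, Out) and isinstance(n, In) and o.ch == n.ch:
                rest = [t for k, t in enumerate(ts)
                        if k not in (i, j) or (k == i and keep_o) or (k == j and keep_n)]
                return rebuild(names, rest + [o.body, App(Abs(n.x, n.body), o.v)])
    return None

def run(p: Proc, fuel: int = 1000) -> Proc:
    """Reduce until stuck (or until `fuel` steps, since *P can diverge)."""
    for _ in range(fuel):
        q = step(p)
        if q is None: break
        p = q
    return p

# Constructed sample: a higher-order communication on a, two beta-reductions, a
# first-order communication on b, then a conditional; the residual is d-bar<c>0.
a, b, c, d = Var("a"), Var("b"), Var("c"), Var("d")
SAMPLE = Par(Out(a, Abs("x", Out(b, Var("x"), Nil())), Nil()),                # a-bar<(x) b-bar<x> 0> 0
             Par(In(a, "f", App(Var("f"), c)),                                 # a(f) (f . c)
                 In(b, "y", If(Var("y"), c, Out(d, Var("y"), Nil()), Nil()))))  # b(y) if y = c then d-bar<y> 0 else 0
```

Calling `run(SAMPLE)` returns the stuck residual `Out(d, c, Nil())`; `step` returns `None` on it, which is how a practitioner can check that a process has no further reductions under these four axioms.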

2.3. Type system. We introduce a simple type system for the language which comprises types for
channels and abstractions, together with recursive types. To allow us to infer recursive types for
terms we make use of type isomorphism. We define this by letting $\simeq_{iso}$ be the least congruence on
types which includes

$$\mathrm{rec}\,Z.T \simeq_{iso} T[\mathrm{rec}\,Z.T/Z]$$

A type environment Γ is a finite set of mappings from identifiers (channel names or variables) to
types, with the restriction that channel names a must be mapped to channel types of the form ch[T].
We write Γ, n : T to represent the environment made up of the disjoint union of Γ and the mapping
n to T. We will call an environment closed if it contains mappings of channel names only and will
write Δ to indicate this. Type inference rules for the calculus are given in Figure 2. We will call a
well-typed process, P, closed if it can be typed as Δ ⊢ P for some closed Δ. It is easily shown that
subject reduction holds for closed terms for the reduction relation and type inference system given.

Figure 2: The Typing Rules

$$\frac{}{\Gamma \vdash (\cdot) : (\cdot)} \qquad
\frac{\Gamma(v) = T}{\Gamma \vdash v : T} \qquad
\frac{\Gamma, x : T \vdash P}{\Gamma \vdash (x : T)P : T \to o} \qquad
\frac{\Gamma \vdash v : T \quad T \simeq_{iso} U}{\Gamma \vdash v : U}$$

$$\frac{\Gamma \vdash v : ch[T],\ w : ch[T] \quad \Gamma \vdash P \quad \Gamma \vdash Q}{\Gamma \vdash \text{if } v = w \text{ then } P \text{ else } Q} \qquad
\frac{\Gamma, a : T \vdash P}{\Gamma \vdash \nu a : T.(P)} \qquad
\frac{\Gamma \vdash P,\ Q}{\Gamma \vdash P \parallel Q,\ *P,\ 0}$$

$$\frac{\Gamma \vdash v : T \to o \quad \Gamma \vdash w : T}{\Gamma \vdash v \cdot w} \qquad
\frac{\Gamma, x : T \vdash P \quad \Gamma \vdash v : ch[T]}{\Gamma \vdash v(x : T)P} \qquad
\frac{\Gamma \vdash P \quad \Gamma \vdash w : T \quad \Gamma \vdash v : ch[T]}{\Gamma \vdash \bar v\langle w\rangle P}$$

2.4. Contextual equivalence. We will now define an appropriate notion of behavioural equivalence
based on contexts and barbs.

Contexts are defined by extending the syntax of processes by allowing typed holes $[\cdot_\Gamma]$ in
terms. The type inference system is extended to contexts by using the rule

$$\frac{}{\Gamma, \Gamma' \vdash [\cdot_\Gamma]}$$

We write C[·] to denote contexts with at most one hole and C[P] for the term which results from
substituting P into the hole.

For any given channel name a such that $\Delta \vdash a : ch[\cdot]$ we write $\Delta \models P \Downarrow a$ if there exists some
P', P'' such that $P \Rightarrow \nu\Delta'.(\bar a\langle\cdot\rangle P'' \parallel P')$ with $a \notin \Delta'$.

We use type-indexed families of relations $\{\mathcal{R}_\Delta\}$ between closed process terms to describe
equivalence. We will write $\mathcal{R}$ to refer to the whole family of relations and

$$\Delta \models P\ \mathcal{R}\ Q$$

to indicate that P and Q are well-typed with respect to Δ and related by $\mathcal{R}_\Delta$. For general process
terms we define the open extension $\mathcal{R}^\circ$ of a typed relation $\mathcal{R}$ as

$$\Delta, x_1 : T_1, \ldots, x_n : T_n \models P\ \mathcal{R}^\circ\ Q$$

holds if for every Δ' disjoint from Δ and every $v_i$ such that $\Delta, \Delta' \vdash v_i : T_i$ (for 1 ≤ i ≤ n) we have

$$\Delta, \Delta' \models P[v_1, \ldots, v_n / x_1, \ldots, x_n]\ \mathcal{R}\ Q[v_1, \ldots, v_n / x_1, \ldots, x_n]$$

Note that, in general, for closed terms $\Delta \models P\ \mathcal{R}\ Q$ is not equivalent to $\Delta \models P\ \mathcal{R}^\circ\ Q$, as $\mathcal{R}^\circ$ enjoys the
weakening property that $\Delta, \Delta' \models P\ \mathcal{R}^\circ\ Q$ whenever $\Delta \models P\ \mathcal{R}^\circ\ Q$, even when $\mathcal{R}$ does not. However,
the contextual equivalence which we study in this paper is defined as an open extension and therefore
will satisfy this weakening.

There are a number of properties of type-indexed relations that we must define:

Symmetry: A type-indexed relation $\mathcal{R}$ is symmetric whenever $\Delta \models P\ \mathcal{R}\ Q$ implies $\Delta \models Q\ \mathcal{R}\ P$.

Reduction closure: A type-indexed relation $\mathcal{R}$ is reduction-closed whenever $\Delta \models P\ \mathcal{R}\ Q$ and
$P \to P'$ implies there exists some Q' such that $Q \Rightarrow Q'$ and $\Delta \models P'\ \mathcal{R}\ Q'$.

Contextuality: A type-indexed relation $\mathcal{R}$ is contextual whenever $\Gamma' \models P\ \mathcal{R}^\circ\ Q$ and $\Gamma \vdash C[\cdot_{\Gamma'}]$
implies $\Gamma \models C[P]\ \mathcal{R}^\circ\ C[Q]$.

Barb preservation: A type-indexed relation $\mathcal{R}$ is barb-preserving if $\Delta \models P\ \mathcal{R}\ Q$ and $\Delta \models P \Downarrow a$
implies $\Delta \models Q \Downarrow a$.

Definition 2.1 (Contextual equivalence). Let ≅ be the open extension of the largest type-indexed
relation which is symmetric, reduction-closed, contextual and barb-preserving. □

For technical convenience it will be useful to work with a lighter definition of contextuality.
We say that a relation is ||-contextual if it is preserved by all contexts of the form $[\cdot_\Gamma] \parallel R$, and we
let $\cong_p$ denote the open extension of the largest typed relation over processes which is symmetric,
||-contextual, reduction-closed and barb-preserving. The following lemma demonstrates that this
lighter definition is sufficient.

Lemma 2.2 (Context lemma). $\Gamma \models P \cong Q$ if and only if $\Gamma \models P \cong_p Q$.

Proof. In Appendix A. □

3. Full abstraction

In this section, we will present a bisimulation equivalence for HOπ, and show that this equivalence
is fully abstract for contextual equivalence.

3.1. Labelled transitions. We will use a labelled transition system to characterize ≅ over higher-order
π-calculus terms. The style of the labelled transition system differs a little from previous
transition systems offered for HOπ. Most notably, the nodes of the transition system are described
using an augmented syntax rather than process terms alone. Specifically, for each k drawn from a
countable set of names disjoint from $\mathcal{N}$ and $\mathcal{V}$, we introduce two new operators:

$$\chi_k \qquad\text{and}\qquad (k \Leftarrow v)$$

with the intuitive reading that $\chi_k$ is an indirect reference to an abstraction and $(k \Leftarrow v)$ stores the
abstraction to which k refers, so that access to v is provided through interaction with k. The augmented
syntax for nodes is given by the grammar of configurations C obtained by extending Figure 1 with:

$$v ::= \ldots \text{ (as Figure 1) } \ldots \mid \chi_k$$
$$C ::= P \mid (k \Leftarrow v) \mid \nu a : T.(C) \mid C \parallel C$$

We impose a syntactic restriction on the augmented syntax so that in any configuration C, for any
given k, $(k \Leftarrow v)$ appears at most once in C. Structural equivalence and reduction lift to C in
the obvious manner; note that there are no reduction rules given for $\chi_k$ and $(k \Leftarrow v)$ though. We
augment the type rules by considering judgements of the form

$$\Gamma ; \Theta \vdash v : T \qquad\text{and}\qquad \Gamma ; \Theta \vdash C$$

where Θ represents a set of mappings from reference names to types T. The rules in Figure 2 are
easily decorated with the extra Θ environment. The further rules required are given by

$$\frac{\Theta(k) = T}{\Gamma ; \Theta \vdash \chi_k : T \to o} \qquad
\frac{\Theta(k) = T \quad \Gamma ; \Theta \vdash v : T \to o}{\Gamma ; \Theta \vdash (k \Leftarrow v)}$$
Nodes of our labelled transition system then are well-typed closed terms of the augmented language
of the form

$$(\Delta ; \Theta \vdash C)$$

The transitions are of the form $(\Delta ; \Theta \vdash C) \xrightarrow{\tau} (\Delta ; \Theta \vdash C')$ or $(\Delta ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta' ; \Theta' \vdash C')$ where
visible labels α are given by the grammar:

$$\alpha ::= \nu a.\alpha \mid \nu k.\bar d\langle\chi_k\rangle! \mid \nu k.d(\chi_k)? \mid d(v)? \mid \bar d\langle v\rangle!$$

where we write d to mean either a channel name a or an indirect reference name k. The transitions are
presented in Figures 3, 4 and 5. The intuition for these transitions is (eliding types for readability):

• $P \xrightarrow{a(v)?} P'$: indicates that P is prepared to input a value v on channel a and then perform as
P'. The type system enforces that v is a first-order value, and not an abstraction. Moreover,
in this case both a and v are pre-existing values, and were not generated fresh for this
transition.

• $P \xrightarrow{k(v)?} P'$: indicates that P has provided a named abstraction reference k to the environment,
and that the environment is calling the abstraction with pre-existing argument v.

• $P \xrightarrow{\nu b.a(b)?} P'$: indicates that P is prepared to input a fresh channel b on channel a and then
perform as P'. This is the same as $P \xrightarrow{a(b)?} P'$, except that b is now a fresh channel generated
by the environment, and has not been seen before by the process.

• $P \xrightarrow{\nu b.k(b)?} P'$: indicates that P has provided a named abstraction reference k to the environment,
and that the environment is calling the abstraction with fresh argument b.

• $P \xrightarrow{\nu l.a(\chi_l)?} P'$: indicates that P is prepared to input an abstraction l on channel a and then
perform as P'. In this case, we do not record the abstraction itself in the label, but instead
we just generate a fresh reference l to the abstraction.

• $P \xrightarrow{\nu l.k(\chi_l)?} P'$: indicates that P has provided a named abstraction reference k to the environment,
and that the environment is calling that abstraction with argument l. In this case, k
must be a higher-order abstraction, so is expecting an abstraction as an argument. Rather
than recording the abstraction itself in the label, we instead generate a fresh reference l to
the abstraction.

• Each of the above input transitions has a dual output transition, where the roles of the process
and environment are exchanged.

We write $\bar\alpha$ to denote the complement of an action α, which is defined to be the action α with the
input/output annotation inverted. We will often write ⇒ to mean the reflexive transitive closure
of $\xrightarrow{\tau}$ and $\overset{\alpha}{\Longrightarrow}$ to mean $\Rightarrow \xrightarrow{\alpha} \Rightarrow$. The following proposition states that the labelled
transition system is well-defined in the sense that the transition relation only relates well-typed
terms.

Proposition 3.1. If $\Delta ; \Theta \vdash C$ and $(\Delta ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash C')$ then $\Delta, \Delta' ; \Theta, \Theta' \vdash C'$ is a
valid typing judgement.

Proof. Straightforward induction. □
$$\frac{C \to C'}{(\Delta ; \Theta \vdash C) \xrightarrow{\tau} (\Delta ; \Theta \vdash C')} \qquad
\frac{(\Delta ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta' ; \Theta' \vdash C')}{(\Delta ; \Theta \vdash C \parallel D) \xrightarrow{\alpha} (\Delta' ; \Theta' \vdash C' \parallel D)}$$

$$\frac{(\Delta, a : T ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta, a : T, \Delta' ; \Theta, \Theta' \vdash C')}{(\Delta ; \Theta \vdash \nu a : T.C) \xrightarrow{\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash \nu a : T.C')}\ (a \notin fn(\alpha))$$

$$\frac{(\Delta, b : T ; \Theta \vdash C) \xrightarrow{\bar d\langle b\rangle!} (\Delta, b : T ; \Theta \vdash C')}{(\Delta ; \Theta \vdash \nu b : T.C) \xrightarrow{\nu b.\bar d\langle b\rangle!} (\Delta, b : T ; \Theta \vdash C')}\ (d \neq b)$$

$$\frac{(\Delta, b : T ; \Theta \vdash C) \xrightarrow{d(b)?} (\Delta, b : T ; \Theta \vdash C')}{(\Delta ; \Theta \vdash C) \xrightarrow{\nu b.d(b)?} (\Delta, b : T ; \Theta \vdash C')}\ (d \neq b)$$

Figure 3: Structural labelled transition rules

3.2. Bisimilarity. We use a standard definition of (weak) bisimilarity to provide our characterisation
of ≅ for HOπ:

Definition 3.2. We call a symmetric relation, $\mathcal{R}$, between nodes of the labelled transition system a
bisimulation if whenever $(n, m) \in \mathcal{R}$ we have

• $n \xrightarrow{\tau} n'$ implies there exists some m' such that $m \Rightarrow m'$ and $(n', m') \in \mathcal{R}$;

• $n \xrightarrow{\alpha} n'$ implies there exists some m' such that $m \overset{\alpha}{\Longrightarrow} m'$ and $(n', m') \in \mathcal{R}$.

Let bisimulation equivalence, or bisimilarity, ≈ be the largest bisimulation relation. □

We will write

$$\Delta ; \Theta \models C \approx D$$

to mean that $\Delta ; \Theta \vdash C$ and $\Delta ; \Theta \vdash D$ are valid typing judgements and moreover, they are related
by ≈ as nodes of the lts. In order to provide a bisimulation characterisation of ≅ over HOπ we will
consider a subrelation of ≈ by restricting our attention to nodes of the form

$$(\Delta ; \emptyset \vdash P)$$

whose terms are clearly definable in HOπ. We will simply write (when Θ is empty)

$$\Delta \models P \approx Q$$

to indicate bisimilarity between such terms of HOπ considered as nodes of the labelled transition
system.

CONTEXTUAL EQUIVALENCE FOR HIGHER-ORDER π-CALCULUS REVISITED

Figure 4: Basic higher-order labelled transition rules

$$\frac{T \simeq_{iso} U \to o}{(\Delta ; \Theta \vdash a(x : T)P) \xrightarrow{\nu k.a(\chi_k)?} (\Delta ; \Theta, k : U \vdash (x : T)P \cdot \chi_k)}$$

$$\frac{\Theta(k) \simeq_{iso} T \to o}{(\Delta ; \Theta \vdash (k \Leftarrow v)) \xrightarrow{\nu l.k(\chi_l)?} (\Delta ; \Theta, l : T \vdash v \cdot \chi_l \parallel (k \Leftarrow v))}$$

$$\frac{\Delta ; \Theta \vdash v : T \to o}{(\Delta ; \Theta \vdash \bar a\langle v\rangle P) \xrightarrow{\nu k.\bar a\langle\chi_k\rangle!} (\Delta ; \Theta, k : T \vdash (k \Leftarrow v) \parallel P)}$$

$$\frac{\Theta(k) \simeq_{iso} T \to o}{(\Delta ; \Theta \vdash \chi_k \cdot v) \xrightarrow{\nu l.\bar k\langle\chi_l\rangle!} (\Delta ; \Theta, l : T \vdash (l \Leftarrow v))}$$

3.3. Soundness of bisimilarity for contextual equivalence. We need to demonstrate that bisimilarity
implies contextual equivalence for all HOπ processes. In particular, because of Lemma 2.2
we need only show that bisimilarity is contained in some symmetric, reduction-closed, barb-preserving
and ||-contextual relation. The key to achieving this is to study the ||-context closure of
bisimilarity. If we can demonstrate that this is reduction-closed then we have our result. To do this
we must establish a decomposition theorem for interactions. For instance, if P and Q are bisimilar
and we compose each of them with a process R then suppose

$$P \parallel R \to S$$

represents an interaction between P and R. We decompose this into complementary actions

$$P \xrightarrow{\alpha} P' \qquad\text{and}\qquad R \xrightarrow{\bar\alpha} R'$$

respectively. Note however that S is not necessarily obtained by a parallel composition of the targets
of the transitions, $P' \parallel R'$. Instead, P' and R' may contain indirect references and their corresponding
resources. These need to be matched up correctly to obtain S. We achieve this by introducing the
merge (partial) operator $((\cdot))$ which will match up these terms and replace every indirect reference
to an abstraction with the abstraction itself. We write

$$C[v/\chi_k]$$

to denote the substitution of the value v for every instance of the indirect reference $\chi_k$. We define
$((C))$ then as the operator on terms of the augmented syntax (up to ≡) such that

$$((C)) = C \qquad \text{if } C \text{ doesn't contain } (k \Leftarrow v) \text{ for any } k, v$$
$$((\nu(a : T).((k \Leftarrow v) \parallel C))) = ((\nu(a : T).(C[v/\chi_k]))) \qquad \text{if } \chi_k \notin v$$

Intuitively, this says that we substitute any values stored at a $(k \Leftarrow v)$ through for the corresponding
$\chi_k$. Note that this need not substitute for all the indirect reference identifiers in C. It is clear that the
above definitions are only partial. For example, if C contains an occurrence of $(k \Leftarrow v)$ for which
$\chi_k$ occurs in v, then $((C))$ is undefined. In order to identify for which terms the merge is defined we
make use of the notion of reference graph: for a term C we define the graph rg(C) to be the graph
which has as nodes the indirect reference identifiers k in C and edges

$$k \mapsto l \qquad \text{if } \chi_l \in v \text{ for } (k \Leftarrow v) \text{ in } C$$

Proposition 3.3. $((\cdot))$ is a well-defined partial function such that $((C))$ is defined if and only if rg(C)
is acyclic.

Proof. Given in Appendix B. □
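The following Python code is an added example (not the paper's) of the reference graph rg(C) and the merge ((·)) over a constructed, minimal representation of the augmented syntax. It collects the stores (k ⇐ v) of a configuration, builds rg(C), decides acyclicity by depth-first search, and performs the merge by repeatedly stripping one store and substituting its value for χ_k, as the second defining clause does; on a cyclic configuration it reports the merge undefined, matching Proposition 3.3. The dataclasses Ref, Name, Abs, App, Store, Nu and Par and the sample configurations are assumptions of the example; process bodies are modelled only far enough to show where references can occur.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union

# Constructed, minimal model of configurations C of the augmented syntax (added
# example, not the paper's code).  Types are elided; Name stands for any leaf that
# contains no indirect reference (a channel name, a variable, or 0).

@dataclass(frozen=True)
class Ref: k: str                          # chi_k : indirect reference to an abstraction
@dataclass(frozen=True)
class Name: n: str                         # reference-free leaf
@dataclass(frozen=True)
class Abs: x: str; body: "Term"            # (x : T)P
@dataclass(frozen=True)
class App: fn: "Term"; arg: "Term"         # v . w
@dataclass(frozen=True)
class Store: k: str; v: "Term"             # (k <= v)
@dataclass(frozen=True)
class Nu: a: str; body: "Term"             # nu a : T.(C)
@dataclass(frozen=True)
class Par: parts: Tuple["Term", ...]       # C || ... || C
Term = Union[Ref, Name, Abs, App, Store, Nu, Par]

def refs(t: Term) -> Set[str]:
    """Identifiers k such that chi_k occurs in t."""
    if isinstance(t, Ref): return {t.k}
    if isinstance(t, Name): return set()
    if isinstance(t, (Abs, Nu)): return refs(t.body)
    if isinstance(t, App): return refs(t.fn) | refs(t.arg)
    if isinstance(t, Store): return refs(t.v)
    return set().union(*(refs(p) for p in t.parts))

def stores(c: Term) -> Dict[str, Term]:
    """The (k <= v) occurring at configuration level in C (under nu and ||)."""
    if isinstance(c, Store): return {c.k: c.v}
    if isinstance(c, Nu): return stores(c.body)
    out: Dict[str, Term] = {}
    if isinstance(c, Par):
        for p in c.parts:
            for k, v in stores(p).items():
                assert k not in out, f"(k <= v) appears twice for k = {k}"   # syntactic restriction
                out[k] = v
    return out

def reference_graph(c: Term) -> Dict[str, Set[str]]:
    """rg(C): an edge k -> l for each (k <= v) in C such that chi_l occurs in v."""
    return {k: refs(v) for k, v in stores(c).items()}

def is_acyclic(g: Dict[str, Set[str]]) -> bool:
    """Three-colour DFS; an identifier with no store has no outgoing edges."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in g}
    def visit(k: str) -> bool:
        if colour.get(k, BLACK) == BLACK: return True
        if colour[k] == GREY: return False            # back edge: a cycle
        colour[k] = GREY
        ok = all(visit(l) for l in g[k])
        colour[k] = BLACK
        return ok
    return all(visit(k) for k in g)

def substitute(t: Term, k: str, v: Term) -> Term:
    """t[v/chi_k]: replace every chi_k in t by v (the caller guarantees chi_k not in v)."""
    if isinstance(t, Ref): return v if t.k == k else t
    if isinstance(t, Name): return t
    if isinstance(t, Abs): return Abs(t.x, substitute(t.body, k, v))
    if isinstance(t, App): return App(substitute(t.fn, k, v), substitute(t.arg, k, v))
    if isinstance(t, Store): return Store(t.k, substitute(t.v, k, v))
    if isinstance(t, Nu): return Nu(t.a, substitute(t.body, k, v))
    return Par(tuple(substitute(p, k, v) for p in t.parts))

def drop_store(c: Term, k: str) -> Term:
    """Remove the configuration-level (k <= v) from C, keeping the nu-binders."""
    if isinstance(c, Store) and c.k == k: return Name("0")
    if isinstance(c, Nu): return Nu(c.a, drop_store(c.body, k))
    if isinstance(c, Par):
        return Par(tuple(drop_store(p, k) for p in c.parts
                         if not (isinstance(p, Store) and p.k == k)))
    return c

def merge(c: Term) -> Optional[Term]:
    """((C)): defined iff rg(C) is acyclic (Proposition 3.3); None otherwise.
    Each step strips one (k <= v) with chi_k not in v and substitutes v for chi_k
    everywhere, including into the values of the remaining stores."""
    if not is_acyclic(reference_graph(c)): return None
    while True:
        st = stores(c)
        if not st: return c
        k, v = next(iter(st.items()))
        assert k not in refs(v)                 # no self-loop, since rg(C) is acyclic
        c = substitute(drop_store(c, k), k, v)

# Constructed samples.  ACYCLIC: (k <= (x) chi_l . x) || (l <= (y) b . y) || chi_k . a,
# with rg = {k -> l}.  CYCLIC: (k <= (x) chi_l . x) || (l <= (y) chi_k . y), rg = {k -> l -> k}.
K_STORE = Store("k", Abs("x", App(Ref("l"), Name("x"))))
ACYCLIC = Par((K_STORE, Store("l", Abs("y", App(Name("b"), Name("y")))), App(Ref("k"), Name("a"))))
CYCLIC = Par((K_STORE, Store("l", Abs("y", App(Ref("k"), Name("y"))))))
```

On ACYCLIC, `merge` returns a configuration with no stores and no references left, whereas `merge(CYCLIC)` is `None`; `reference_graph` exposes the graph itself, which is the check a practitioner would run before trusting a merged term.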
Figure 5: Basic first-order labelled transition rules

$$\frac{\Delta \vdash v : T \quad T \text{ a base type}}{(\Delta ; \Theta \vdash a(x : T)P) \xrightarrow{a(v)?} (\Delta ; \Theta \vdash (x : T)P \cdot v)}$$

$$\frac{\Theta(k) = T \quad \Delta \vdash w : T \quad T \text{ a base type}}{(\Delta ; \Theta \vdash (k \Leftarrow v)) \xrightarrow{k(w)?} (\Delta ; \Theta \vdash v \cdot w \parallel (k \Leftarrow v))}$$

$$\frac{\Delta \vdash v : T \quad T \text{ a base type}}{(\Delta ; \Theta \vdash \bar a\langle v\rangle P) \xrightarrow{\bar a\langle v\rangle!} (\Delta ; \Theta \vdash P)}$$

$$\frac{\Theta(k) = T \quad T \text{ a base type}}{(\Delta ; \Theta \vdash \chi_k \cdot v) \xrightarrow{\bar k\langle v\rangle!} (\Delta ; \Theta \vdash 0)}$$

Lemma 3.4 (Composition/Decomposition). For $\Delta ; \Theta \vdash C, D$:

(i) If $((C \parallel D)) = E$ and

$$(\Delta ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash C') \qquad\text{and}\qquad (\Delta ; \Theta \vdash D) \xrightarrow{\bar\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash D')$$

then there exists an E' such that $E \Rightarrow E'$ and $((\nu\Delta'.(C' \parallel D'))) = E'$.

(ii) If $((C)) = E$ and $C \to C'$ then there exists an E' such that $E \to E'$ and $((C')) = E'$.

(iii) If $((C \parallel D)) = E$ and $E \to E'$ then one of the following holds:

$C \to C'$ with $((C' \parallel D)) = E'$,
or $D \to D'$ with $((C \parallel D')) = E'$,
or $(\Delta ; \Theta \vdash C) \xrightarrow{\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash C')$ and $(\Delta ; \Theta \vdash D) \xrightarrow{\bar\alpha} (\Delta, \Delta' ; \Theta, \Theta' \vdash D')$ with
$((\nu\Delta'.(C' \parallel D'))) = E'$.

Proof. Part (ii) is straightforward as the merge operator $((\cdot))$ simply removes subterms of the form
$(k \Leftarrow v)$, which can't be involved in reductions, and substitutes higher-order values through for
variables of higher-order type. Reductions are based on structure alone except for the conditionals,
which can be affected by first-order substitutions of channel names only.

To show (i) we must consider all the possible cases for α. By symmetry there are four distinct
pairs of complementary actions. We only consider the cases where α is $\nu k.a(\chi_k)?$ and $\nu l.k(\chi_l)?$, as
the first-order actions can be treated similarly.

Case: $\Delta ; \Theta \vdash C \xrightarrow{\nu k.a(\chi_k)?} \Delta ; \Theta, k : U \vdash C'$ and $\Delta ; \Theta \vdash D \xrightarrow{\nu k.\bar a\langle\chi_k\rangle!} \Delta ; \Theta, k : U \vdash D'$. By inspection
we see that

- $C = \nu\Delta'.(a(x : T)P \parallel C'')$ with $T \simeq_{iso} U \to o$
- $C' = \nu\Delta'.((x : T)P \cdot \chi_k \parallel C'')$
- $D = \nu\Delta''.(\bar a\langle v\rangle Q \parallel D'')$
- $D' = \nu\Delta''.((k \Leftarrow v) \parallel Q \parallel D'')$

It is easy to see that $((C \parallel D)) \to ((\nu\Delta', \Delta''.((x : T)P \cdot v \parallel C'' \parallel Q \parallel D'')))$; let us call the target
of this reduction E'. We simply need to check

$$\begin{aligned}
E' &= ((\nu\Delta', \Delta''.((x : T)P \cdot v \parallel C'' \parallel Q \parallel D''))) \\
(\chi_k \notin v) \qquad &= ((\nu\Delta'.((x : T)P \cdot \chi_k \parallel C'') \parallel \nu\Delta''.((k \Leftarrow v) \parallel Q \parallel D''))) \\
&= ((C' \parallel D'))
\end{aligned}$$

Case: $\Delta ; \Theta \vdash C \xrightarrow{\nu l.k(\chi_l)?} \Delta ; \Theta, l : T \vdash C'$ and $\Delta ; \Theta \vdash D \xrightarrow{\nu l.\bar k\langle\chi_l\rangle!} \Delta ; \Theta, l : T \vdash D'$. Again, by
inspection we see that

- $C = \nu\Delta'.((k \Leftarrow v) \parallel C'')$
- $C' = \nu\Delta'.(v \cdot \chi_l \parallel (k \Leftarrow v) \parallel C'')$
- $D = \nu\Delta''.(\chi_k \cdot w \parallel D'')$
- $D' = \nu\Delta''.((l \Leftarrow w) \parallel D'')$

Note that the previous proposition tells us that $rg(C \parallel D)$ must be acyclic; in particular,
$\chi_k \notin v$. Here we see that

$$\begin{aligned}
((C \parallel D)) &\equiv ((\nu\Delta', \Delta''.((k \Leftarrow v) \parallel C'' \parallel \chi_k \cdot w \parallel D''))) \\
(\chi_k \notin v) \qquad &= ((\nu\Delta', \Delta''.((k \Leftarrow v) \parallel C'' \parallel v \cdot w \parallel D''))) \\
(\chi_l \notin v, w, C'', D'') \qquad &= ((\nu\Delta', \Delta''.((k \Leftarrow v) \parallel C'' \parallel v \cdot \chi_l \parallel (l \Leftarrow w) \parallel D''))) \\
&= ((C' \parallel D'))
\end{aligned}$$

So by letting E' be $((C' \parallel D'))$ we note that $((C \parallel D)) \Rightarrow E'$ as required.


To show (iii) we suppose $((C \parallel D)) = E$ and that $E \to E'$. We must consider all possible ways
in which this reduction can occur. If the reduction arises from a conditional then it is clear that we
must have $C \to C'$ or $D \to D'$ for some C' or D'. Moreover it is easy to check that $((C' \parallel D))$ (resp.
$((C \parallel D'))$) $= E'$. There are two more possibilities to consider:

Case: the reduction arises from a β-reduction. In this case either $C \to C'$ or $D \to D'$ as above and
the result follows easily, or v is $(x : U)P$ and

- $C = \nu\Delta'.(\chi_k \cdot w \parallel C'')$ with all names in Δ' appearing in w
- $D = \nu\Delta''.((k \Leftarrow v) \parallel D'')$ with $\chi_k \notin v$
- $E' = ((\nu\Delta', \Delta''.(P[w/x] \parallel C'' \parallel (k \Leftarrow v) \parallel D'')))$

or a symmetric version of these with the roles of C and D reversed. So we notice that if
$U \simeq_{iso} T \to o$ we have

$$\Delta ; \Theta \vdash C \xrightarrow{\nu l.\bar k\langle\chi_l\rangle!} \Delta ; \Theta, l : T \vdash C' \qquad\text{and}\qquad \Delta ; \Theta \vdash D \xrightarrow{\nu l.k(\chi_l)?} \Delta ; \Theta, l : T \vdash D'$$

where $C' = \nu\Delta'.((l \Leftarrow w) \parallel C'')$ and $D' = \nu\Delta''.(P[\chi_l/x] \parallel (k \Leftarrow v) \parallel D'')$. We check:

$$\begin{aligned}
((C' \parallel D')) &= ((\nu\Delta'.((l \Leftarrow w) \parallel C'') \parallel \nu\Delta''.(P[\chi_l/x] \parallel (k \Leftarrow v) \parallel D''))) \\
(\chi_l \notin v, w, C'', D'') \qquad &= ((\nu\Delta', \Delta''.(C'' \parallel P[w/x] \parallel (k \Leftarrow v) \parallel D''))) \\
&= E'
\end{aligned}$$

as required. Alternatively, it could be that U is a base type, in which case

$$\Delta ; \Theta \vdash C \xrightarrow{\nu\Delta'.\bar k\langle w\rangle!} \Delta, \Delta' ; \Theta \vdash C' \qquad\text{and}\qquad \Delta ; \Theta \vdash D \xrightarrow{\nu\Delta'.k(w)?} \Delta, \Delta' ; \Theta \vdash D'$$

where $C' = C''$ and $D' = \nu\Delta''.(P[w/x] \parallel (k \Leftarrow v) \parallel D'')$. It is easy to check that $((C' \parallel D')) = E'$
as required.
Case: the reduction arises from communication. Again we see that either $C \to C'$ or $D \to D'$, in
which case we easily obtain the result, or

- $C = \nu\Delta'.(\bar a\langle v\rangle P \parallel C'')$
- $D = \nu\Delta''.(a(x : T)Q \parallel D'')$
- $E' = ((\nu\Delta'.(P \parallel C'') \parallel \nu\Delta''.((x : T)Q \cdot v \parallel D'')))$

or a symmetric version of this with the roles of C and D reversed. Again we must consider
whether the type T is a base type or higher-order. We omit the details of the former case.
Suppose then that $\Delta ; \Theta \vdash v : T \simeq_{iso} U \to o$; we know

$$\Delta ; \Theta \vdash C \xrightarrow{\nu k.\bar a\langle\chi_k\rangle!} \Delta ; \Theta, k : U \vdash C' \qquad\text{and}\qquad \Delta ; \Theta \vdash D \xrightarrow{\nu k.a(\chi_k)?} \Delta ; \Theta, k : U \vdash D'$$

where $C' = \nu\Delta'.((k \Leftarrow v) \parallel P \parallel C'')$ and $D' = \nu\Delta''.((x : T)Q \cdot \chi_k \parallel D'')$. We check:

$$\begin{aligned}
((C' \parallel D')) &\equiv ((\nu\Delta'.((k \Leftarrow v) \parallel P \parallel C'') \parallel \nu\Delta''.((x : T)Q \cdot \chi_k \parallel D''))) \\
(\chi_k \notin v, P, C'', D'') \qquad &= ((\nu\Delta', \Delta''.(P \parallel C'' \parallel (x : T)Q \cdot v \parallel D''))) \\
&= E'
\end{aligned}$$

as required. □


Definition 3.5. Let $\approx_m$ be defined to be

$$\Delta ; \Theta \models ((C_1 \parallel D)) \approx_m ((C_2 \parallel D)) \quad\text{if and only if}\quad \Delta ; \Theta \models C_1 \approx C_2 \text{ and } \Delta ; \Theta \vdash D$$

whenever $((C_1 \parallel D))$ and $((C_2 \parallel D))$ are defined. □

Note that in the case where Θ is empty we have that $((C_i \parallel D)) = C_i \parallel D$, and hence $\approx_m$ and $\approx_p$
coincide.


Lemma 3.6. $\approx_m$ is reduction-closed.

Proof. Follows easily from the previous lemma. Take $\Delta ; \Theta \models ((C_1 \parallel D)) \approx_m ((C_2 \parallel D))$ and suppose
$((C_1 \parallel D)) \to E$. We must show that $((C_2 \parallel D)) \Rightarrow E'$ for some E' such that $\Delta ; \Theta \models E \approx_m E'$. We
know from Part (iii) of the previous lemma that one of three cases must hold. Either $C_1 \to C_1'$,
$D \to D'$, or there are complementary actions from both $C_1$ and D. We only deal with the last case,
as the others follow easily from the hypothesis that $\Delta ; \Theta \models C_1 \approx C_2$ and Part (ii) of the previous
lemma.

We have then that $\Delta ; \Theta \vdash C_1 \xrightarrow{\alpha} \Delta, \Delta' ; \Theta, \Theta' \vdash C_1'$ and $\Delta ; \Theta \vdash D \xrightarrow{\bar\alpha} \Delta, \Delta' ; \Theta, \Theta' \vdash D'$ such
that $E = ((C_1' \parallel D'))$. We know by hypothesis that there must exist some

$$\Delta ; \Theta \vdash C_2 \overset{\alpha}{\Longrightarrow} \Delta, \Delta' ; \Theta, \Theta' \vdash C_2'$$

such that

$$\Delta, \Delta' ; \Theta, \Theta' \models C_1' \approx C_2'. \qquad (\dagger)$$

We can now use Parts (i) and (ii) of the previous lemma to see that $((C_2 \parallel D)) \Rightarrow E'$ such that
$E' = ((C_2' \parallel D'))$. Note that (†) guarantees $\Delta ; \Theta \models E \approx_m E'$ to finish. □
Theorem 3.7. For all closed terms P, Q of HOπ:

$$\Delta \models P \approx Q \quad\text{implies}\quad \Delta \models P \cong_p Q$$

Proof. We let $\approx_p$ denote the relation

$$\Delta, \Delta' \models (P \parallel R) \approx_p (Q \parallel R) \quad\text{iff}\quad \Delta \models P \approx Q \text{ and } \Delta, \Delta' \vdash R$$

It is easy to see that $\approx_p$ is a ||-contextual relation over terms of HOπ. It is also easy to see that $\approx_p$
is symmetric and barb-preserving and coincides with $\approx_m$ for closed terms of HOπ; thus Lemma 3.6
can be instantiated to demonstrate that $\approx_p$ is reduction-closed and, given that $\cong_p$ is defined to be the
largest symmetric, ||-contextual, reduction-closed and barb-preserving relation over terms of HOπ,
we have our result. □

Corollary 3.8 (Soundness). For all terms P, Q of HOπ:

$$\Gamma \models P \approx^\circ Q \quad\text{implies}\quad \Gamma \models P \cong Q$$

Proof. Follows from the previous theorem and Lemma 2.2. □


3.4. Completeness of bisimilarity for contextual equivalence. The interactions described by the
labelled transition system are not obviously derived by genuine contextual observations in HOπ because
of the use of the extra syntax for indirect references. In order to show completeness of our
bisimilarity for contextual equivalence we must demonstrate that the indirect references are in fact
definable as terms of the language proper. Following Sangiorgi [...], we implement the implicit protocol
outlined by the indirect references by using the following translation of the augmented terms
into HOπ:

$$\begin{aligned}
[\![k_1 : T_1, \ldots, k_n : T_n]\!] &= k_1 : ch[T_1], \ldots, k_n : ch[T_n] \\
[\![\Gamma ; \Theta \vdash C]\!] &= \Gamma, [\![\Theta]\!] \vdash [\![C]\!]_\Theta \\
[\![\chi_k]\!]_\Theta &= (x : T)\bar k\langle x\rangle 0 \qquad \text{if } \Theta(k) = T \\
[\![(k \Leftarrow v)]\!]_\Theta &= {*}k(x)\,[\![v]\!]_\Theta \cdot x
\end{aligned}$$

The translation acts homomorphically on all other terms. We abuse notation here by using identifiers
k as channel names in the translation. It is evident that this translation is well-defined in the sense
that the translations of well-typed augmented terms are indeed well-typed terms of HOπ.

We would now like to prove a correspondence between reductions from the terms of the augmented
syntax and reductions between their translations. However, we note that in translating a term
containing both $(k \Leftarrow v)$ and $\chi_k$ we provide matching input and output prefixes, which, in HOπ, may
create a communication which was not possible in the source term. This turns out not to be of particular
concern to us though, as we see that if we start with terms of HOπ, then terms reachable
by transitions are balanced in the following sense: we call a term C of the augmented language
balanced if for each k, C contains at most one of $\chi_k$ (possibly multiple times) or $(k \Leftarrow v)$. Unfortunately
the translation may introduce extra reductions which aren't present in the source term.
These arise through the translation of terms of the form $\chi_k \cdot v$. Note that

$$[\![\chi_k \cdot v]\!] = (x : T)\bar k\langle x\rangle 0 \cdot [\![v]\!] \to \bar k\langle [\![v]\!]\rangle 0$$

but $\chi_k \cdot v$ has no corresponding reduction. We will identify these rogue reductions as housekeeping
reductions and indicate them with $\xrightarrow{h}$, defined as any reduction which can be derived using the
axiom

$$\text{(h-redn)} \qquad (x : T)\bar k\langle x\rangle 0 \cdot v \xrightarrow{h} \bar k\langle v\rangle 0$$


Lemma 3.9. If $\Delta;\Theta \vdash C$ is balanced then

(1) If $C \Rightarrow C'$ then $[\![C]\!]_\Theta \Rightarrow [\![C']\!]_\Theta$.

(2) If $[\![C]\!]_\Theta \Rightarrow P$ then $[\![C]\!]_\Theta \Rightarrow [\![D]\!]_\Theta \xrightarrow{h}{}^{*} P$ for some $\Delta;\Theta \vdash D$ such that $C \Rightarrow D$.

Proof. We will omit mention of the environment $\Theta$ in the proof as it plays no role. Part (1) is straightforward. For Part (2) we use induction on the length of the reduction sequence. If there are no reductions then we are done. We examine the base case in which $[\![C]\!] \to P$. If this reduction happens to be a housekeeping move, that is $[\![C]\!] \xrightarrow{h} P$, then there is nothing to prove. Suppose otherwise; then it is not too difficult to check that $P \equiv [\![D]\!]$ for some $D$ such that $C \to D$. For the inductive case suppose that

$$[\![C]\!] \to P_1 \Rightarrow P. \qquad (\dagger)$$

By inspecting the translation $[\![\cdot]\!]$ and using the fact that $C$ is balanced we see that a housekeeping reduction can be postponed past any reduction that follows it: if $[\![C]\!] \xrightarrow{h} Q_1 \to Q$ then $[\![C]\!] \to Q_2 \xrightarrow{h} Q$ for some $Q_2$ (the output on $k$ created by the housekeeping step has no matching input in $[\![C]\!]$, since $C$ is balanced). Thus we may assume that the first reduction in $(\dagger)$ above is not of the form $\xrightarrow{h}$. This means that $[\![C]\!] \to [\![C']\!] \Rightarrow P$ for some $C'$ such that $C \to C'$. It is clear that $C'$ is also balanced, so we may apply the inductive hypothesis to $[\![C']\!] \Rightarrow P$ to obtain a $D$ such that $C' \Rightarrow D$ and $[\![C']\!] \Rightarrow [\![D]\!] \xrightarrow{h}{}^{*} P$. Putting these together we obtain

$$C \to C' \Rightarrow D \qquad\text{and}\qquad [\![C]\!] \to [\![C']\!] \Rightarrow [\![D]\!] \xrightarrow{h}{}^{*} P$$

as required. □

When $\Delta'$ is of length at most one, we shall write $\delta(\Delta')$ as shorthand, defined:

$$\delta(\emptyset) = \delta\langle\rangle \qquad \delta(a : T) = \delta\langle a\rangle$$

Moreover, note that whenever $(\Delta;\Theta \vdash D) \xrightarrow{\alpha} (\Delta,\Delta';\Theta,\Theta' \vdash D')$, we have that $\Delta'$ has length at most one, and so $\delta(\Delta')$ is well-defined.


Proposition 3.10. For each $\alpha$, $\Delta$ and fresh channels $\delta, \delta'$ of appropriate type given by $\alpha$ and $\Delta$ (we write $T_\delta$ for the type carried by $\delta$), there exists a process $\mathcal{T}^{\Delta}_{\alpha}$ (defined in Figure 6) in HOπ such that if

$$\Delta;\Theta \vdash C \xrightarrow{\alpha} \Delta,\Delta';\Theta,\Theta' \vdash C'$$

then

$$\Delta, [\![\Theta,\Theta']\!], \delta : \mathsf{ch}[T_\delta], \delta' : \mathsf{ch}[\,] \vdash \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$$

and moreover, for balanced $D$,

$$(\Delta;\Theta \vdash D) \stackrel{\alpha}{\Longrightarrow} (\Delta,\Delta';\Theta,\Theta' \vdash D')$$

if and only if $\Delta;\Theta \vdash D$ and

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \;\Rightarrow\; \nu\Delta'.\,(\delta(\Delta') \parallel P) \quad\text{with } [\![D']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} P.$$
Proof. It is straightforward to check that $\Delta, [\![\Theta,\Theta']\!], \delta : \mathsf{ch}[T_\delta], \delta' : \mathsf{ch}[\,] \vdash \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$ whenever

$$\Delta;\Theta \vdash C \xrightarrow{\alpha} \Delta,\Delta';\Theta,\Theta' \vdash C'.$$

For the remainder, to show the 'only if' direction we use Lemma 3.9 Part (1) to reduce our obligation to the case of a single transition $\xrightarrow{\alpha}$, and we must consider each label $\alpha$. By way of example we show the case for $\alpha = \nu l.\,k(\tau_l)!$ (the other cases can be treated similarly). Suppose

$$(\Delta;\Theta \vdash D) \xrightarrow{\alpha} (\Delta;\Theta, l : U \vdash D').$$

Then we know that

$$D \equiv \nu\Delta''.\,(\tau_k \cdot v \parallel D'') \qquad\text{and}\qquad D' \equiv \nu\Delta''.\,((l \Leftarrow v) \parallel D'').$$

We see that, for $T \cong_{\mathsf{iso}} U \to o$,

$$
\begin{array}{rcl}
\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta
& \equiv & k(x:T)\big({*}l(y:U)\,x \cdot y \parallel (\delta\langle\rangle \oplus \delta'\langle\rangle)\big) \parallel \nu\Delta''.\,\big(((z:T)\,k\langle z\rangle 0) \cdot [\![v]\!]_\Theta \parallel [\![D'']\!]_\Theta\big) \\
& \Rightarrow & (\delta\langle\rangle \oplus \delta'\langle\rangle) \parallel \nu\Delta''.\,\big({*}l(y:U)\,[\![v]\!]_\Theta \cdot y \parallel [\![D'']\!]_\Theta\big) \\
& \Rightarrow & \delta\langle\rangle \parallel [\![D']\!]_{\Theta, l:U}
\end{array}
$$

as required.

For the converse direction we suppose that

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \Rightarrow \nu\Delta'.\,(\delta(\Delta') \parallel P).$$

Again, we must perform a case analysis on $\alpha$. We show the case in which $\alpha$ is $\nu l.\,k(\tau_l)?$ (the other cases can be treated similarly). We know $\Delta'$ is empty, so $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \Rightarrow \delta\langle\rangle \parallel P$. Note that $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$ has no reductions of its own and can only interact with $[\![D]\!]_\Theta$, so we can detail the assumed reductions as

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \;\Rightarrow\; \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel P_0 \;\to\; (\delta\langle\rangle \oplus \delta'\langle\rangle) \parallel P_1 \;\Rightarrow\; \delta\langle\rangle \parallel P$$

where $[\![D]\!]_\Theta \Rightarrow P_0$ and $P_1 \Rightarrow P$. We assumed that $D$ is balanced, so Lemma 3.9 Part (2) applied to $[\![D]\!]_\Theta \Rightarrow P_0$ tells us that $[\![D]\!]_\Theta \Rightarrow [\![D_0]\!]_\Theta \xrightarrow{h}{}^{*} P_0$ for some $D_0$ such that $D \Rightarrow D_0$. We know that $P_0$ is obtained from $[\![D_0]\!]_\Theta$ by housekeeping reductions and that it interacts with $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$ by receiving on $k$. This tells us that we must have the forms

$$P_0 \equiv \nu\Delta''.\,({*}k[\![v]\!]_\Theta \parallel P_0') \qquad\text{and}\qquad P_1 \equiv \nu\Delta''.\,([\![v]\!]_\Theta \cdot [\![\tau_l]\!]_{\Theta,l:U} \parallel {*}k[\![v]\!]_\Theta \parallel P_0').$$

This in turn tells us that $D_0 \equiv \nu\Delta''.\,((k \Leftarrow v) \parallel D_0')$ with $[\![D_0']\!]_\Theta \xrightarrow{h}{}^{*} P_0'$. Now it is clear that

$$(\Delta;\Theta \vdash D_0) \xrightarrow{\nu l.\,k(\tau_l)?} (\Delta;\Theta, l:U \vdash D_1)$$

where $D_1 = \nu\Delta''.\,(v \cdot \tau_l \parallel (k \Leftarrow v) \parallel D_0')$. We check

$$
\begin{array}{rcl}
[\![D_1]\!]_{\Theta,l:U} & = & \nu\Delta''.\,([\![v]\!]_\Theta \cdot [\![\tau_l]\!]_{\Theta,l:U} \parallel {*}k[\![v]\!]_\Theta \parallel [\![D_0']\!]_\Theta) \\
& \xrightarrow{h}{}^{*} & \nu\Delta''.\,([\![v]\!]_\Theta \cdot [\![\tau_l]\!]_{\Theta,l:U} \parallel {*}k[\![v]\!]_\Theta \parallel P_0') \\
& = & P_1 \\
& \Rightarrow & P
\end{array}
$$

Therefore $[\![D_1]\!]_{\Theta,l:U} \Rightarrow P$ and we can apply Lemma 3.9 Part (2) to this to see that $[\![D_1]\!]_{\Theta,l:U} \Rightarrow [\![D']\!]_{\Theta,l:U} \xrightarrow{h}{}^{*} P$ for some $D'$ such that $D_1 \Rightarrow D'$. By collecting the above together we obtain

$$(\Delta;\Theta \vdash D) \Rightarrow (\Delta;\Theta \vdash D_0) \xrightarrow{\nu l.\,k(\tau_l)?} (\Delta;\Theta,l:U \vdash D_1) \Rightarrow (\Delta;\Theta,l:U \vdash D')$$

with $[\![D']\!]_{\Theta,l:U} \xrightarrow{h}{}^{*} P$ as required. □

Figure 6: Testing processes for labelled transitions

$$
\begin{array}{lcll}
\mathcal{T}^{\Delta}_{d(v)!} & = & d(x:T)\,\mathsf{if}\ x = v\ \mathsf{then}\ (\delta\langle\rangle \oplus \delta'\langle\rangle)\ \mathsf{else}\ 0 & \text{where } \Delta(d) = \mathsf{ch}[T] \\[4pt]
\mathcal{T}^{\Delta}_{d(v)?} & = & d\langle v\rangle(\delta\langle\rangle \oplus \delta'\langle\rangle) & \text{where } \Delta(d) = \mathsf{ch}[T] \\[4pt]
\mathcal{T}^{\Delta}_{\nu b.\,d(b)!} & = & d(x:T)\,\mathsf{if}\ x \notin \Delta\ \mathsf{then}\ (\delta\langle x\rangle \oplus \delta'\langle\rangle)\ \mathsf{else}\ 0 & \text{where } \Delta(d) = \mathsf{ch}[T] \\[4pt]
\mathcal{T}^{\Delta}_{\nu b.\,d(b)?} & = & \nu b : T.\,(d\langle b\rangle(\delta\langle b\rangle \oplus \delta'\langle\rangle)) & \text{where } \Delta(d) = \mathsf{ch}[T] \\[4pt]
\mathcal{T}^{\Delta}_{\nu k.\,d(\tau_k)!} & = & d(x:T)({*}k(y:U)\,x \cdot y \parallel (\delta\langle\rangle \oplus \delta'\langle\rangle)) & \text{where } \Delta(d) = \mathsf{ch}[T] \text{ and } T \cong_{\mathsf{iso}} U \to o \\[4pt]
\mathcal{T}^{\Delta}_{\nu k.\,d(\tau_k)?} & = & d\langle (x:U)\,k\langle x\rangle 0\rangle(\delta\langle\rangle \oplus \delta'\langle\rangle) & \text{where } \Delta(d) = \mathsf{ch}[T] \text{ and } T \cong_{\mathsf{iso}} U \to o
\end{array}
$$

Here $\oplus$ represents an encoding of internal choice in HOπ, and the test $x \notin \Delta$ is shorthand for

$$
\begin{array}{lcl}
\mathsf{if}\ x \notin \emptyset\ \mathsf{then}\ P\ \mathsf{else}\ Q & = & P \\
\mathsf{if}\ x \notin (a : T, \Delta)\ \mathsf{then}\ P\ \mathsf{else}\ Q & = & \mathsf{if}\ x = a\ \mathsf{then}\ Q\ \mathsf{else}\ \mathsf{if}\ x \notin \Delta\ \mathsf{then}\ P\ \mathsf{else}\ Q
\end{array}
$$

Lemma 3.11 (Extrusion). If $\Delta \models \nu\Delta'.\,(\delta(\Delta') \parallel P) \cong_p \nu\Delta'.\,(\delta(\Delta') \parallel Q)$ then $\Delta,\Delta' \models P \cong_p Q$.

Proof. Follows a similar argument found in [7]: define a relation $\mathcal{R}$ such that

$$\Delta,\Delta' \models P \;\mathcal{R}\; Q \quad\text{iff}\quad \Delta \models \nu\Delta'.\,(\delta(\Delta') \parallel P) \cong_p \nu\Delta'.\,(\delta(\Delta') \parallel Q)$$

and show that $\mathcal{R}$ is barb-preserving, reduction-closed and $\parallel$-contextual. These properties follow from the corresponding property for $\cong_p$ and an extra piece of context to interact with $\delta(\Delta')$. □

Theorem 3.12 (Completeness). For all closed terms $P, Q$ of HOπ:

$$\Delta \models P \cong_p Q \quad\text{implies}\quad \Delta \models P \approx Q.$$

Proof. We define $\mathcal{R}$ over terms of the augmented language to be

$$\Delta;\Theta \models C \;\mathcal{R}\; D \quad\text{iff}\quad \Delta, [\![\Theta]\!] \models [\![C]\!]_\Theta \cong_p [\![D]\!]_\Theta$$

and show that $\mathcal{R}$ is a bisimulation. Take $\Delta;\Theta \models C \,\mathcal{R}\, D$ and suppose that

$$(\Delta;\Theta \vdash C) \xrightarrow{\alpha} (\Delta,\Delta';\Theta,\Theta' \vdash C').$$

We know from Proposition 3.10 that

$$\Delta, [\![\Theta,\Theta']\!], \delta : \mathsf{ch}[T_\delta], \delta' : \mathsf{ch}[\,] \vdash \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$$

and that

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![C]\!]_\Theta \Rightarrow \nu\Delta'.\,(\delta(\Delta') \parallel P)$$

with $[\![C']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} P$. We know that

$$\Delta, [\![\Theta]\!] \models [\![C]\!]_\Theta \cong_p [\![D]\!]_\Theta$$

by the definition of $\mathcal{R}$, and hence, by contextuality, we also have

$$\Delta, [\![\Theta,\Theta']\!], \delta : \mathsf{ch}[T_\delta], \delta' : \mathsf{ch}[\,] \models \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![C]\!]_\Theta \;\cong_p\; \mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta.$$

This tells us that

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \Rightarrow Q'$$

such that

$$\Delta, [\![\Theta,\Theta']\!] \models \nu\Delta'.\,(\delta(\Delta') \parallel P) \;\cong_p\; Q'. \qquad (\dagger)$$

But by the construction of $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$ we notice that $\nu\Delta'.\,(\delta(\Delta') \parallel P)$ barbs on $\delta$ but not on $\delta'$. Therefore, by the barb-preservation property of $\cong_p$, we know that $Q'$ must also barb on $\delta$ but not on $\delta'$. This constrains $Q'$ so that $Q' \equiv \nu\Delta'.\,(\delta(\Delta') \parallel Q)$. We apply Lemma 3.9 Part (2) to $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \Rightarrow Q'$ to see that there is some $D''$ such that

$$\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha} \parallel [\![D]\!]_\Theta \Rightarrow [\![D'']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} \nu\Delta'.\,(\delta(\Delta') \parallel Q)$$

from which it clearly follows that $D'' \equiv \nu\Delta'.\,(\delta(\Delta') \parallel D')$ and $[\![D']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} Q$. We use Proposition 3.10 again to see that

$$(\Delta;\Theta \vdash D) \stackrel{\alpha}{\Longrightarrow} (\Delta,\Delta';\Theta,\Theta' \vdash D')$$

and we now must show that $\Delta,\Delta';\Theta,\Theta' \models C' \,\mathcal{R}\, D'$. To do this we use Lemma 3.11 on $(\dagger)$ (note that $Q' \equiv \nu\Delta'.\,(\delta(\Delta') \parallel Q)$) to see that $\Delta,\Delta', [\![\Theta,\Theta']\!] \models P \cong_p Q$. It is also easy to check that $h$-reductions are confluent with respect to all other reductions and hence preserve contextual equivalence, that is $\xrightarrow{h}{}^{*} \subseteq \cong_p$, so we also have $\Delta,\Delta', [\![\Theta,\Theta']\!] \models [\![C']\!]_{\Theta,\Theta'} \cong_p [\![D']\!]_{\Theta,\Theta'}$ because $[\![C']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} P$ and $[\![D']\!]_{\Theta,\Theta'} \xrightarrow{h}{}^{*} Q$. This allows us to conclude $\Delta,\Delta';\Theta,\Theta' \models C' \,\mathcal{R}\, D'$ as required.

We must also consider transitions of the form

$$(\Delta;\Theta \vdash C) \xrightarrow{\tau} (\Delta,\Delta';\Theta,\Theta' \vdash C').$$

These can be dealt with as above, but in this case no $\mathcal{T}^{\Delta,[\![\Theta]\!]}_{\alpha}$ is needed. □

Corollary 3.13 (Full abstraction). For all terms $P, Q$ of HOπ:

$$\Gamma \models P \approx Q \quad\text{if and only if}\quad \Gamma \models P \cong Q$$

Proof. Follows from Corollary 3.8, Lemma 2.2 and the previous theorem. □

4. Concluding remarks

We have re-examined the use of labelled transitions to characterise contextual equivalence in the higher-order π-calculus. The technique of augmenting the core syntax with extra operators to assist in the definition of the labelled transitions allows us to give a direct proof of soundness of bisimilarity for contextual equivalence. This advances Sangiorgi's analogous result by allowing recursive types also.

We believe that the technique of using extra operators to describe the points of interaction with the environment in the LTS is fairly robust and should be applicable to many higher-order languages. Indeed, this was the approach that the authors developed for their work on concurrent objects [?].

We have only concerned ourselves with the characterisation of contextual equivalence in HOπ and so far have not studied Sangiorgi's translation of higher-order to first-order mobility. Thus, the restriction to finite types for his translation is still necessary. It would be interesting to investigate whether the current work could be of use in removing this type restriction for his translation also.
Appendix A. Proof of the Context Lemma

We recall the statement of Lemma 2.2 and detail its proof here.

$$\Gamma \models P \cong Q \quad\text{if and only if}\quad \Gamma \models P \cong_p Q.$$

The force of this lemma is to show that the simplified form of observational testing allowed by $\cong_p$ is sufficient to capture the power of full contextual testing. In order to prove this we essentially need to show that $\cong_p$ is preserved by the operators of HOπ. For the most part, this can be done directly and is stated in Lemma A.1 below.

Lemma A.1.

(1) If $\Delta, x : T \models P \cong_p Q$ and $\Delta \vdash v : T$ then $\Delta \models (x:T)P \cdot v \cong_p (x:T)Q \cdot v$.

(2) If $\Delta, x : T \models P \cong_p Q$ and $\Delta \vdash a : \mathsf{ch}[T]$ then $\Delta \models a(x:T)P \cong_p a(x:T)Q$.

(3) If $\Delta \models P \cong_p Q$, $\Delta \vdash w : T$ and $\Delta \vdash a : \mathsf{ch}[T]$ then $\Delta \models a\langle w\rangle P \cong_p a\langle w\rangle Q$.

(4) If $\Delta \models P_1 \cong_p Q_1$ and $\Delta \models P_2 \cong_p Q_2$ then $\Delta \models \mathsf{if}\ v = w\ \mathsf{then}\ P_1\ \mathsf{else}\ P_2 \cong_p \mathsf{if}\ v = w\ \mathsf{then}\ Q_1\ \mathsf{else}\ Q_2$.

(5) If $\Delta, a : T \models P \cong_p Q$ then $\Delta \models \nu(a:T).\,(P) \cong_p \nu(a:T).\,(Q)$.

(6) If $\Delta \models P_1 \cong_p Q_1$ and $\Delta \models P_2 \cong_p Q_2$ then $\Delta \models P_1 \parallel P_2 \cong_p Q_1 \parallel Q_2$.

(7) If $\Delta \models P \cong_p Q$ then $\Delta \models {*}P \cong_p {*}Q$.

Proof. The majority of these are straightforward by exhibiting appropriate symmetric, reduction-closed, $\parallel$-contextual, barb-preserving relations. As an example of this we show the case for input prefixing (Case (2)). We define $\mathcal{R}$ so that $\cong_p \subseteq \mathcal{R}$ and moreover

$$\Delta \models a(x:T)P \parallel R \;\mathcal{R}\; a(x:T)Q \parallel R \quad\text{for any } \Delta \vdash R. \qquad (\dagger)$$

It is clear that $\mathcal{R}$ is symmetric, barb-preserving and $\parallel$-contextual, so if we can show that it is reduction-closed then we may conclude that $\mathcal{R}$ coincides with $\cong_p$ and we have our result.

Suppose that $(\dagger)$ holds and

$$a(x:T)P \parallel R \to P'.$$

We know then that either $R \to R'$ and $P' = a(x:T)P \parallel R'$, or the reduction came about by interaction, that is $R \equiv \nu\Delta'.\,(a\langle v\rangle R'' \parallel R''')$ with $a \notin \Delta'$, and by writing $R'$ for $R'' \parallel R'''$ we have $P' \equiv \nu\Delta'.\,(P[v/x] \parallel R')$ for some $\Delta,\Delta' \vdash v$ and $\Delta,\Delta' \vdash R'$. If the former is true then we see immediately that

$$a(x:T)Q \parallel R \to a(x:T)Q \parallel R'$$

where

$$\Delta \models a(x:T)P \parallel R' \;\mathcal{R}\; a(x:T)Q \parallel R'.$$

If instead the latter is true then we use the fact that

$$\Delta, x : T \models P \cong_p Q$$

to see that $\Delta,\Delta' \models P[v/x] \cong_p Q[v/x]$ and note that

$$a(x:T)Q \parallel R \to \nu\Delta'.\,(Q[v/x] \parallel R')$$

where (using $\parallel$-contextuality and Case (5))

$$\Delta \models \nu\Delta'.\,(P[v/x] \parallel R') \;\mathcal{R}\; \nu\Delta'.\,(Q[v/x] \parallel R')$$

as required. □
Notice that there are two particular cases which are not covered by this lemma: application of a function to, and output of, higher-order $\cong_p$-related values (cf. Corollary A.11). Establishing that $\cong_p$ is preserved in these cases can be done directly but is a little more involved. We notice that the property we require in both cases follows immediately from Substitutivity (cf. Corollary A.10), that is (ignoring types):

$$\text{if } P \cong_p Q \text{ then } R[(x)P/y] \cong_p R[(x)Q/y].$$

The remainder of the appendix is devoted to achieving this. The proof follows a very similar scheme to the proof of Proposition 4.2.6 in [?] but simplified to avoid any use of induction on type as appeared there.

Lemma A.2. If $\Delta \vdash (x:T)P \cdot w$ then $\Delta \models (x:T)P \cdot w \cong_p P[w/x]$.

In the following we will make use of a "bisimulation up to" argument [?].

Definition A.3. A type-indexed relation $\mathcal{R}$ is reduction-closed up to $(\equiv, \cong_p)$ whenever $\Delta \models P \,\mathcal{R}\, Q$ and $P \to P'$ implies there exists some $Q'$ such that $Q \Rightarrow Q'$ and $\Delta \models P' \;\equiv\mathcal{R}\cong_p\; Q'$. □

Lemma A.4. For any type-indexed relation $\mathcal{R}$ which is symmetric, reduction-closed up to $(\equiv, \cong_p)$, $\parallel$-contextual and barb-preserving, $\mathcal{R} \subseteq \cong_p$.

Definition A.5. We say that $x$ is (un)guarded in $P$ whenever:

(1) if $x \notin P$ then $x$ is (un)guarded in $P$,

(2) if $x \notin w$ then $x$ is unguarded in $x \cdot w$,

(3) if $v \neq x$ then $x$ is guarded in $v \cdot w$,

(4) $x$ is guarded in $v(y:T)P$, $v\langle w\rangle P$, and $\mathsf{if}\ v = w\ \mathsf{then}\ P\ \mathsf{else}\ Q$, and

(5) if $x$ is (un)guarded in $P$ and $Q$ then $x$ is (un)guarded in $\nu(a:T).\,(P)$, $P \parallel Q$ and ${*}P$. □

Lemma A.6. For any $\Delta, y : T \to o \vdash R$ with $y$ guarded in $R$ and for any $\Delta \vdash v : T \to o$ and $\Delta \vdash w : T \to o$, if $R[v/y] \to R'$ then $R' \equiv R''[v/y]$ for some $R''$ and moreover, $R[w/y] \to R''[w/y]$.

Proof. We first observe that as $\Delta \vdash v : T \to o$ it must be the case that $v$ is an abstraction and not a channel name. From this it is routine to check that the required property holds for the reduction axioms. Furthermore, if $y$ is guarded in $\mathcal{E}[P]$ then $y$ is guarded in $P$ and so the required property is preserved by reduction in evaluation contexts. □

Lemma A.7. For any $P$ and $x$ we can find $Q$ and $y$ such that $x$ is guarded in $Q$, $y$ is unguarded in $Q$ and $P = Q[x/y]$.

Proof. A routine induction on $P$. □
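Definition A.5 and Lemma A.7 are purely syntactic, so they can be checked mechanically. The following Python is an added example written for this edition, not code from the paper: it encodes a small syntax tree for HOπ processes (the constructors, their field names and the omission of types are assumptions of the encoding), decides guardedness and unguardedness by the five clauses, and performs the head-splitting $P = Q[x/y]$ that Lemma A.7 asserts, checking the three promised properties on a constructed sample term in which $x$ is neither guarded nor unguarded.

```python
"""Guardedness (Definition A.5) and head-splitting (Lemma A.7) over a small
syntax tree for HOpi processes. Added example, not the paper's own code; the
constructors below are an assumed encoding of the appendix's syntax, and
types are omitted because guardedness is purely syntactic."""
from collections import namedtuple

# Values: a name/variable (str) or an abstraction (x:T)P.
Abs = namedtuple('Abs', 'x body')
# Processes: 0, v.w, a(y:T)P, a<w>P, if v = w then P else Q, nu(a:T).(P), P||Q, *P
Nil = namedtuple('Nil', '')
App = namedtuple('App', 'fun arg')
In  = namedtuple('In', 'chan y body')
Out = namedtuple('Out', 'chan w body')
If  = namedtuple('If', 'v w then els')
New = namedtuple('New', 'a body')
Par = namedtuple('Par', 'left right')
Rep = namedtuple('Rep', 'body')

def occurs_v(x, v):
    """x occurs free in the value v."""
    return (v.x != x and occurs(x, v.body)) if isinstance(v, Abs) else v == x

def occurs(x, p):
    """x occurs free in the process p; 'x not in P' of Definition A.5 is its negation."""
    if isinstance(p, App): return occurs_v(x, p.fun) or occurs_v(x, p.arg)
    if isinstance(p, In):  return occurs_v(x, p.chan) or (p.y != x and occurs(x, p.body))
    if isinstance(p, Out): return occurs_v(x, p.chan) or occurs_v(x, p.w) or occurs(x, p.body)
    if isinstance(p, If):  return any(occurs_v(x, u) for u in (p.v, p.w)) or occurs(x, p.then) or occurs(x, p.els)
    if isinstance(p, New): return p.a != x and occurs(x, p.body)
    if isinstance(p, Par): return occurs(x, p.left) or occurs(x, p.right)
    if isinstance(p, Rep): return occurs(x, p.body)
    return False  # Nil

def guarded(x, p):
    """Definition A.5, 'guarded': clauses (1), (3), (4) and (5)."""
    if not occurs(x, p): return True                                        # (1)
    if isinstance(p, App): return p.fun != x                                # (3)
    if isinstance(p, (In, Out, If)): return True                            # (4)
    if isinstance(p, Par): return guarded(x, p.left) and guarded(x, p.right)  # (5)
    return guarded(x, p.body)                                               # (5): New, Rep

def unguarded(x, p):
    """Definition A.5, 'unguarded': clauses (1), (2) and (5); no clause covers prefixes."""
    if not occurs(x, p): return True                                        # (1)
    if isinstance(p, App): return p.fun == x and not occurs_v(x, p.arg)     # (2)
    if isinstance(p, (In, Out, If)): return False
    if isinstance(p, Par): return unguarded(x, p.left) and unguarded(x, p.right)
    return unguarded(x, p.body)                                             # (5): New, Rep

def split_head(p, x, y):
    """Lemma A.7: rename the head-position occurrences of x (those reachable
    through nu, || and * only) to a fresh y; then x is guarded and y is
    unguarded in the result Q, and P = Q[x/y]."""
    if isinstance(p, App) and p.fun == x: return App(y, p.arg)
    if isinstance(p, New): return New(p.a, split_head(p.body, x, y))
    if isinstance(p, Rep): return Rep(split_head(p.body, x, y))
    if isinstance(p, Par): return Par(split_head(p.left, x, y), split_head(p.right, x, y))
    return p  # 0, prefixes, tests and applications headed by some v != x

def rename(t, y, x):
    """t[x/y] for a variable y assumed fresh in t, so it is never bound and
    no capture can occur; works uniformly over values and processes."""
    if isinstance(t, str): return x if t == y else t
    return type(t)(*(rename(f, y, x) for f in t))

def lemma_a7(p, x, y='y_fresh'):
    """Return Q of Lemma A.7 together with the three properties it promises."""
    q = split_head(p, x, y)
    return q, guarded(x, q), unguarded(y, q), rename(q, y, x) == p

# Constructed sample: P = nu(a).( x.a || a<x>0 || *(x.x) ); x is neither
# guarded (clause (3) fails at x.a) nor unguarded (no clause covers a<x>0).
P = New('a', Par(App('x', 'a'), Par(Out('a', 'x', Nil()), Rep(App('x', 'x')))))

if __name__ == '__main__':
    print(lemma_a7(P, 'x'))
```

The split only descends through $\nu$, $\parallel$ and $*$, exactly the operators of clause (5); occurrences under a prefix or a test are already guarded by clause (4) and must be left alone, since renaming them would make the fresh variable occur under a prefix and so fail to be unguarded.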


Lemma A.8 (Unguarded Substitutivity). If $\Delta, x : T \models P \cong_p Q$ and $\Delta, y : T \to o \vdash R$ and $y$ is unguarded in $R$ then $\Delta \models R[(x:T)P/y] \cong_p R[(x:T)Q/y]$.

Proof. We proceed by induction on the structure of $R$. If $y \notin R$ then the result is immediate. If $R$ is not of the form $v \cdot w$, the result follows easily by induction by making use of Lemma A.1. Otherwise, since $y$ is unguarded in $R$, we must have that $R$ is of the form $y \cdot w$ with $y \notin w$. Hence:

$$
\begin{array}{rcll}
\Delta \models R[(x:T)P/y] & = & (x:T)P \cdot w & \text{(as } R = y \cdot w \text{ and } y \notin w) \\
& \cong_p & P[w/x] & \text{(by Lemma A.2)} \\
& \cong_p & Q[w/x] & \text{(by hypothesis)} \\
& \cong_p & (x:T)Q \cdot w & \text{(by Lemma A.2)} \\
& = & R[(x:T)Q/y] & \text{(as } R = y \cdot w \text{ and } y \notin w)
\end{array}
$$

as required. □
Lemma A.9 (Guarded Substitutivity). If $\Delta, x : T \models P \cong_p Q$ and $\Delta, y : T \to o \vdash R$ and $y$ is guarded in $R$ then $\Delta \models R[(x:T)P/y] \cong_p R[(x:T)Q/y]$.

Proof. Let $\mathcal{R}$ be defined as

$$\Delta \models R'[(x:T)P/y] \;\mathcal{R}\; R'[(x:T)Q/y] \quad\text{whenever } \Delta, y : T \to o \vdash R' \text{ and } y \text{ is guarded in } R'.$$

We show that $\mathcal{R}$ is symmetric, reduction-closed up to $(\equiv, \cong_p)$, $\parallel$-contextual, and barb-preserving, and so the result follows by Lemma A.4. Symmetry, $\parallel$-contextuality, and barb-preservation are direct. For reduction-closure up to $(\equiv, \cong_p)$ we suppose:

$$R'[(x:T)P/y] \to R''.$$

By Lemma A.6 we have that $R'' \equiv R'''[(x:T)P/y]$ and moreover:

$$R'[(x:T)Q/y] \to R'''[(x:T)Q/y].$$

We use Lemma A.7 to find an $R''''$ and $z$ such that $y$ is guarded in $R''''$, $z$ is unguarded in $R''''$ and $R''' = R''''[z/y]$. Hence:

$$
\begin{array}{rcll}
R'' & \equiv & R'''[(x:T)P/y] & \text{(from above)} \\
& = & R''''[(x:T)P/y,\ (x:T)P/z] & \text{(from above)} \\
& \mathcal{R} & R''''[(x:T)Q/y,\ (x:T)P/z] & \text{(from the definition of } \mathcal{R} \text{ and } y \text{ guarded in } R''''[(x:T)P/z]) \\
& \cong_p & R''''[(x:T)Q/y,\ (x:T)Q/z] & \text{(from Lemma A.8 and } z \text{ unguarded in } R''''[(x:T)Q/y]) \\
& = & R'''[(x:T)Q/y] & \text{(from above)}
\end{array}
$$

as required. □

Corollary A.10. If $\Delta, x : T \models P \cong_p Q$ and $\Delta, y : T \to o \vdash R$ then $\Delta \models R[(x:T)P/y] \cong_p R[(x:T)Q/y]$.

Proof. Follows from Lemmas A.7, A.8 and A.9. □

Corollary A.11.

(1) If $\Delta, x : T \models P \cong_p Q$ and $\Delta \vdash v : (T \to o) \to o$ then $\Delta \models v \cdot (x:T)P \cong_p v \cdot (x:T)Q$.

(2) If $\Delta, x : T \models P \cong_p Q$, $\Delta \vdash a : \mathsf{ch}[T \to o]$ and $\Delta \vdash R$ then $\Delta \models a\langle (x:T)P\rangle R \cong_p a\langle (x:T)Q\rangle R$.

Proof. Follows from Corollary A.10. □

Proof of Lemma 2.2. The 'only if' direction is immediate. For the converse it is sufficient to show that $\cong_p$ is preserved by each process operator of HOπ, as demonstrated by Lemma A.1 and Corollary A.11. □


Appendix B. Merge is a partial function

Proof of Proposition 3.3. We consider the rewriting relation $\twoheadrightarrow$ which we define as the one-step rewriting used to define the merge operation:

$$
\begin{array}{lcll}
C & \twoheadrightarrow & \checkmark & \text{if } C \text{ does not contain } (k \Leftarrow v) \text{ for any } k, v \\
\nu(\tilde a : \tilde T).\,((k \Leftarrow v) \parallel C) & \twoheadrightarrow & \nu(\tilde a : \tilde T).\,(C[v/\tau_k]) & \text{if } \tau_k \notin v
\end{array}
$$

It is easy to see that $\twoheadrightarrow$ is a terminating rewriting relation. Moreover, the rewriting will terminate with a $\checkmark$ from $C$ (so that $\langle\!\langle C\rangle\!\rangle$ is defined) exactly when $\mathrm{rg}(C)$ is acyclic. To see this we consider the effect of $\twoheadrightarrow$ on reference graphs: for

$$\nu(\tilde a : \tilde T).\,((k \Leftarrow v) \parallel C) \twoheadrightarrow \nu(\tilde a : \tilde T).\,(C[v/\tau_k])$$

the reference graph of $(k \Leftarrow v) \parallel C$ has the node $k$ removed and any edges such that

$$l' \mapsto k \mapsto l$$

for $l', l \neq k$ are replaced with an edge

$$l' \mapsto l;$$

all other edges involving $k$ are removed. So if node $k$ is involved in a cycle before rewriting occurs, that is

$$l \mapsto^{*} k \mapsto^{*} l$$

for some $l$, then either it is a tight loop, that is $l = k$ and $k \mapsto k$, or $l \neq k$ and the cycle still exists after rewriting as $l \mapsto^{*} l$. The side-condition on the rewrite rule forbids tight loops, hence we see that $\twoheadrightarrow$ preserves cyclicity. That is:

$$\text{if } C \twoheadrightarrow C' \text{ then } \mathrm{rg}(C) \text{ is acyclic if and only if } \mathrm{rg}(C') \text{ is acyclic.}$$

Now, suppose that $\langle\!\langle C\rangle\!\rangle$ is defined. We know that there exists a finite sequence

$$C \twoheadrightarrow C_1 \twoheadrightarrow \cdots \twoheadrightarrow C_n \twoheadrightarrow \checkmark$$

with $\langle\!\langle C\rangle\!\rangle = C_n$. We know that $\mathrm{rg}(C_n)$ is acyclic as it contains no edges. Thus, $\mathrm{rg}(C)$ is acyclic also. Conversely, suppose that $\mathrm{rg}(C)$ is acyclic. Then as $\twoheadrightarrow$ is terminating there must be a finite sequence

$$C \twoheadrightarrow C_1 \twoheadrightarrow \cdots \twoheadrightarrow C_n$$

such that $C_n$ cannot be rewritten. There are two possibilities for this: either $\mathrm{rg}(C_n)$ contains a tight loop, or $C_n$ is $\checkmark$. We see that $\mathrm{rg}(C)$ is acyclic, so $\mathrm{rg}(C_n)$ is acyclic too and therefore cannot contain a tight loop. Thus $C_n$ is $\checkmark$ and $\langle\!\langle C\rangle\!\rangle$ is defined.

To show that $\langle\!\langle\cdot\rangle\!\rangle$ is a well-defined partial function it suffices to show that $\twoheadrightarrow$ is strongly confluent for acyclic terms. Note that if $\nu(\tilde a : \tilde T).\,(C) \twoheadrightarrow C'$ then either $C'$ is $\checkmark$ or $C' = \nu(\tilde a : \tilde T).\,(C'')$ such that $C \twoheadrightarrow C''$. So without loss of generality suppose that

$$C \twoheadrightarrow C_1 \qquad\text{and}\qquad C \twoheadrightarrow C_2$$

for

$$C \equiv C_1' \parallel (k_1 \Leftarrow v_1) \qquad\text{and}\qquad C \equiv C_2' \parallel (k_2 \Leftarrow v_2)$$

so that

$$C_1 = C_1'[v_1/\tau_{k_1}] \qquad\text{and}\qquad C_2 = C_2'[v_2/\tau_{k_2}].$$

So either $k_1 = k_2$, in which case $C_1 = C_2$, or $k_1 \neq k_2$ and

$$C_1' \equiv C_3 \parallel (k_2 \Leftarrow v_2) \qquad\text{and}\qquad C_2' \equiv C_3 \parallel (k_1 \Leftarrow v_1).$$

We notice that

$$
\begin{array}{rcll}
C_1 & = & C_1'[v_1/\tau_{k_1}] \\
& = & (C_3 \parallel (k_2 \Leftarrow v_2))[v_1/\tau_{k_1}] \\
& = & C_3[v_1/\tau_{k_1}] \parallel (k_2 \Leftarrow v_2[v_1/\tau_{k_1}]) \\
& \twoheadrightarrow & C_3[v_1/\tau_{k_1}][v_2[v_1/\tau_{k_1}]/\tau_{k_2}] & \text{(acyclicity implies } \tau_{k_2} \notin v_2[v_1/\tau_{k_1}]) \\
& = & C_3[v_1[v_2[v_1/\tau_{k_1}]/\tau_{k_2}]/\tau_{k_1},\ v_2[v_1/\tau_{k_1}]/\tau_{k_2}] \\
& = & C_3[v_1[v_2/\tau_{k_2}]/\tau_{k_1},\ v_2[v_1/\tau_{k_1}]/\tau_{k_2}] & \text{(acyclicity)} \\
& = & C_4 & \text{(definition of } C_4)
\end{array}
$$

By a symmetric argument we see that $C_2 \twoheadrightarrow C_3[v_2[v_1/\tau_{k_1}]/\tau_{k_2},\ v_1[v_2/\tau_{k_2}]/\tau_{k_1}]$ and, by definition, this is just $C_4$, so we have $C_2 \twoheadrightarrow C_4$. Thus $\twoheadrightarrow$ is strongly confluent for acyclic terms and hence $\langle\!\langle\cdot\rangle\!\rangle$ is well-defined. □
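The rewriting $\twoheadrightarrow$, the reference graph and the two claims of this appendix (merge is defined exactly when $\mathrm{rg}(C)$ is acyclic, and the result does not depend on the order in which definitions are eliminated) can be exercised on small terms. The Python below is an added example, not the paper's code; its data representation is an assumption: a value is a tuple of tokens, a token being a plain symbol or an indirect reference $\tau_k$ written `('tau', k)`, and a term is a body value together with a dictionary of definitions $(k \Leftarrow v)$. The sample terms are constructed for the demonstration.

```python
"""Merge of indirect references (Appendix B) as an executable check.
Added example, not the paper's own code. Representation (an assumption):
a value is a tuple of tokens, a token is either a plain symbol (str) or an
indirect reference ('tau', k); an augmented term is a body value plus a
dictionary of definitions k -> v standing for (k <= v)."""
from itertools import permutations

def is_ref(tok):
    return isinstance(tok, tuple) and len(tok) == 2 and tok[0] == 'tau'

def refs(v):
    """Set of k such that tau_k occurs in v."""
    return {tok[1] for tok in v if is_ref(tok)}

def subst(v, k, w):
    """v[w/tau_k]: replace every occurrence of tau_k in v by the tokens of w."""
    out = []
    for tok in v:
        out.extend(w) if is_ref(tok) and tok[1] == k else out.append(tok)
    return tuple(out)

def reference_graph(defs):
    """rg(C): an edge k -> l whenever (k <= v) is in C and tau_l occurs in v."""
    return {k: refs(v) for k, v in defs.items()}

def acyclic(graph):
    """Depth-first search for a cycle; a tight loop k -> k counts as a cycle."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in graph}
    def visit(k):
        colour[k] = GREY
        for l in graph.get(k, ()):
            c = colour.get(l, BLACK)  # a reference with no definition has no out-edges
            if c == GREY or (c == WHITE and not visit(l)):
                return False
        colour[k] = BLACK
        return True
    return all(colour[k] != WHITE or visit(k) for k in graph)

def rewrite_step(body, defs, k):
    """One step of ->> : drop (k <= v) and substitute v for tau_k everywhere
    else. The side condition tau_k not in v forbids rewriting a tight loop."""
    v = defs[k]
    if k in refs(v):
        return None
    return subst(body, k, v), {l: subst(w, k, v) for l, w in defs.items() if l != k}

def merge(body, defs, order=None):
    """<<C>>: rewrite until no definitions remain (return the merged body) or
    until only tight loops are left (return None: the merge is undefined)."""
    defs = dict(defs)
    order = list(order) if order is not None else list(defs)
    while defs:
        progressed = False
        for k in order:
            if k in defs:
                step = rewrite_step(body, defs, k)
                if step is not None:
                    body, defs = step
                    progressed = True
        if not progressed:
            return None
    return body

def merge_all_orders(body, defs):
    """Eliminate definitions in every possible order; by strong confluence on
    acyclic terms all the results must coincide."""
    return {merge(body, defs, order) for order in permutations(defs)}

def check(body, defs):
    """Proposition 3.3 on one term: merge is defined iff rg(C) is acyclic, and
    the merged term is independent of the rewriting order."""
    results = merge_all_orders(body, defs)
    defined = None not in results
    assert defined == acyclic(reference_graph(defs))
    assert len(results) == 1
    return results.pop()

# Constructed samples.
# (k1 <= tau_k2 a) || (k2 <= b) with body tau_k1 tau_k2 c : acyclic, merge defined
ACYCLIC_DEFS = {'k1': (('tau', 'k2'), 'a'), 'k2': ('b',)}
BODY = (('tau', 'k1'), ('tau', 'k2'), 'c')
# (k1 <= tau_k2) || (k2 <= tau_k1): the cycle k1 -> k2 -> k1 survives one step
# as a tight loop, so the merge is undefined whichever definition goes first
CYCLIC_DEFS = {'k1': (('tau', 'k2'),), 'k2': (('tau', 'k1'),)}
# (k <= tau_k a): a tight loop blocks the only rewrite immediately
TIGHT_LOOP = {'k': (('tau', 'k'), 'a')}

if __name__ == '__main__':
    for defs in (ACYCLIC_DEFS, CYCLIC_DEFS, TIGHT_LOOP):
        print(check(BODY, defs))
```

Running `check` over every permutation is exponential in the number of definitions and is only meant to make the confluence argument visible on small terms; the order-independence it observes is exactly what the diamond $C_1 \twoheadrightarrow C_4 \twoheadleftarrow C_2$ in the proof guarantees.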